How do I access a system protected by the AuthAnvil logon agent in an emergency?

There may be situations in which it becomes important to bypass the AuthAnvil Two Factor Auth Windows Logon Agent to remove it. Some examples could include:

A defect in the agent causing logon failure

No access is available to the AuthAnvil Two Factor Auth Web Service, and offline caching mode is not enabled

Need to change the Override Password without logging in

These should be rare occasions and examples that should not be taken lightly. The purpose of the agent is to enforce strong authentication, and it significantly weakens that purpose when people take it upon themselves to unload the agent.

Server 2003 and Windows XP

Microsoft makes it rather easy to install and uninstall logon agents. It’s really just a registry setting located at HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon in a key calledGinaDLL. Any DLL named in that key, and which is located in the %SYSTEM32% directory, will be loaded at boot.

To quickly remove AuthAnvil Two Factor Auth windows logon support, run the AuthAnvil Two Factor Auth Windows Logon Agent uninstall or simply delete the GinaDLL registry key item. Rebooting the computer will then allow for a normal Windows logon sequence.

If there is no access to the uninstaller, or you cannot remove the registry key, reboot the server or workstation into Safe Mode Without Networking. On Safe Mode Without Networking boot, Windows will NOT load the logon agent defined in the GinaDLL registry key. You can then login with your normal Windows Administrator credentials and either completely uninstall the AuthAnvil Two Factor Auth agent, or simply delete the GinaDLL key. Rebooting the computer will then allow for a normal Windows logon sequence.

Note: As of April 8, 2014 Windows XP is no longer being supported.

Server 2008 and Windows Vista

Likewise the Credential Provider utilizes a registry setting that loads the AuthAnvil Two Factor Auth Credential Provider at boot. You can find that in the registry atHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{ABAA8F45-5683-42b5-BC15-E44D6CBB8ED4}.

To remove a credential provider, you should boot into safe mode without networking or remotely connect to the registry and remove the registry key named above and reboot the computer.